Dansguardian: Internet filtering software for Linux


by bledsoe on March 30, 2009

Even though I had installed Linux on my home computer a couple of months ago, I hadn't set up user accounts for my kids yet because I wanted to install internet filtering software, and the process is a little intimidating for newbies.  Once I finally got around to it, however, installation wasn't that difficult, so I'm posting this in case it might be useful for others.  Note that I'm using Ubuntu, though as far as I know these steps will work for other Linux distros as well.

The steps outlined below are taken from a series of posts to the Ubuntu forums called HOWTO: Install Dansguardian on a single desktop AND for a network, primarily the initial post by tonhou.  (I made a few changes, but about 90% is lifted straight from his post.)  Note that while you will have to use the command line to install and configure the necessary files, it's really not that complicated.  I futzed around for a long time (without success) trying to find a GUI that would hold my hand thru the process, and when I finally sighed and went with the steps below, it was remarkably painless.

First, a quick overview.  To set up internet filtering on your Linux box, you're basically going to be installing three separate apps: Dansguardian, Tinyproxy, and FireHOL.  Dansguardian is the primary app and includes a number of config files which you can modify to reflect the types of things you want to filter for your users.  Tinyproxy is a proxy server, an app that sits between your browser and the internet to manage the web page requests going out and the web pages coming in; it essentially evaluates all the requests for web pages based on the Dansguardian filtering rules that you set up.  It's also small and fast, as compared to other more full-featured proxy servers like Squid.  And FireHOL is firewall software, an app designed to keep your computer safe from any malicious code that might attempt to invade your computer system.  These three apps work together to create the internet content filtering system for Linux.

Step 1: Use Synaptic to download and install Dansguardian, Tinyproxy, and FireHOL - This is fairly straightforward, assuming you've used the Linux package manager Synaptic before.

Step 2: Edit dansguardian.conf and "reconfigure" dansguardian - Open a terminal window and type "sudo gedit /etc/dansguardian/dansguardian.conf" in order to edit the dansguardian configuration file.  The only thing you need to do is comment out the line that reads "# UNCONFIGURED" (that is, delete the "#").  Then execute the command "sudo dpkg-reconfigure dansguardian".  (Note: When I executed this command, I got a warning that "starting dansguardian failed," but I ignored it and everything turned out fine.)

Step 3: Edit FireHOL.conf - From within your terminal window, execute the command "sudo gedit /etc/firehol/firehol.conf"

Add all of the following at the start of the document:

iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP

transparent_squid 8080 "root root"

interface any world
policy drop
protection strong
client all accept
server cups accept
#server webcache accept

(Note: You will need to remove "interface any world . . ." further on in the document.)

Note also that if you're setting up dansguardian on a single computer connected to the internet (which is what I did), you want to be sure and leave the "#" in front of the phrase "server webcache accept".  If you take out the "#", you're leaving your system wide open for anyone on the internet to access.  (I think the only reason you would uncomment this line is if you were configuring a machine to serve as a gateway for an internal network of computers, but that's a slightly more sophisticated undertaking.)

Step 4: Edit FireHOL - From within your terminal window, execute the command "sudo gedit /etc/default/firehol"

Make sure the file has the following line:

START_FIREHOL=YES

This is to allow restarting of the firewall.

Step 5: Edit Tinyproxy.conf - From within your terminal window, execute the command "sudo gedit /etc/tinyproxy/tinyproxy.conf"

Change/add the following lines (scroll through the document):

User root
Group root
Port 3128
ViaProxyName "tinyproxy"

Step 6: Restart each program - From within your terminal window, execute the following commands, in this order:

sudo /etc/init.d/tinyproxy restart
sudo /etc/init.d/firehol restart
sudo /etc/init.d/dansguardian restart

I got a warning after executing the last command that said one of my FireHOL files was more than 90 days old and I should update it.  I ignored that also.
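
The following check is an added example, not part of the original post or the forum HOWTO it draws on. It audits the files edited in Steps 3-5 for the settings the setup depends on; the function names (active, audit_filter_setup, make_sample_tree) are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the files edited in Steps 3-5 for the settings the article relies on.
# ROOT is a directory prefix ("" = the live system); the sample tree below is constructed.

active() {  # print the lines of file $1 that are neither blank nor comments
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

audit_filter_setup() {  # usage: audit_filter_setup [ROOT]; returns 1 if anything is off
    root=${1:-}
    fh="$root/etc/firehol/firehol.conf"
    bad=0
    flag() { echo "FINDING: $1"; bad=1; }
    # Only the dansguardian user may talk to tinyproxy directly; otherwise a
    # browser pointed at 127.0.0.1:3128 skips the filter.
    active "$fh" | grep -Eq 'dport 3128 .*! --uid-owner dansguardian -j DROP' ||
        flag "firehol.conf: no owner-match DROP rule protecting port 3128"
    active "$fh" | grep -Eq '^[[:space:]]*transparent_squid[[:space:]]+8080' ||
        flag "firehol.conf: web traffic is not redirected to port 8080"
    # An active 'server webcache accept' opens the proxy to other hosts.
    if active "$fh" | grep -Eq '^[[:space:]]*server[[:space:]]+webcache[[:space:]]+accept'; then
        flag "firehol.conf: 'server webcache accept' is uncommented"
    fi
    # The stock 'interface any world' block must be removed after adding the new one.
    n=$(active "$fh" | grep -Ec '^[[:space:]]*interface[[:space:]]+any[[:space:]]+world' || true)
    [ "$n" -le 1 ] || flag "firehol.conf: 'interface any world' appears $n times"
    active "$root/etc/default/firehol" | grep -Eq '^START_FIREHOL=YES' ||
        flag "/etc/default/firehol: START_FIREHOL=YES not set"
    active "$root/etc/tinyproxy/tinyproxy.conf" | grep -Eq '^Port[[:space:]]+3128[[:space:]]*$' ||
        flag "tinyproxy.conf: Port is not 3128"
    return "$bad"
}

make_sample_tree() {  # write constructed copies of the article's settings under $1
    mkdir -p "$1/etc/firehol" "$1/etc/default" "$1/etc/tinyproxy"
    cat > "$1/etc/firehol/firehol.conf" <<'EOF'
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "root root"
interface any world
    policy drop
    client all accept
    #server webcache accept
EOF
    echo 'START_FIREHOL=YES' > "$1/etc/default/firehol"
    printf 'User root\nGroup root\nPort 3128\n' > "$1/etc/tinyproxy/tinyproxy.conf"
}

# Demo on the constructed tree; to check the live system run: audit_filter_setup ""
demo=$(mktemp -d) && make_sample_tree "$demo" && audit_filter_setup "$demo" && echo "no findings"; rm -rf "$demo"
```
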

Step 7: Update the Dansguardian list files - While dansguardian should now be working, you may discover that it's blocking a lot more websites than you wanted.  (In my case, it was blocking pretty much every site on the internet.)  Now's the time to check out the different files that dansguardian uses to perform its filtering. You'll find them in the directory /etc/dansguardian/lists.  In particular, you'll want to edit the files bannedphraselist and weightedphraselist.  I uncommented all the pornography and adult-related lines and left most of the rest commented out, which seemed to make things work as I had hoped.

I still don't understand how all of the configuration/list files work, and some of the game sites that my sons visit don't work as they should, but I was pleased just to get dansguardian up and running.
